Single Sign-On Implementation Guide - salesforce.comresources.docs.salesforce.com/.../pdf/salesforce_single_sign_on.pdf · Single Sign-On Implementation Guide Salesforce, ... single

Single Sign-On ImplementationGuide

Salesforce, Summer ’16

@salesforcedocsLast updated: July 26, 2016

https://twitter.com/salesforcedocs

© Copyright 2000–2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.

CONTENTS

Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

About SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Configuring SAML Settings for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Working With Your Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Identity Provider Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Customize SAML Start, Error, Login, and Logout Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Example SAML Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Viewing Single Sign-On Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Validating SAML Settings for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

SAML Assertion Validation Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Reviewing the SAML Login History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

About Just-in-Time Provisioning for SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Just-in-Time Provisioning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Just-in-Time Provisioning for Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Just-in-Time Provisioning for Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Just-in-Time Provisioning Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Best Practices for Implementing Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Enable Single Sign-On for Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Understanding Delegated Authentication Single Sign-On . . . . . . . . . . . . . . . . . . . . . . 45

Configuring Salesforce for Delegated Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Sample Delegated Authentication Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

SINGLE SIGN-ON

EDITIONS

Available in: both SalesforceClassic and LightningExperience

Federated Authentication isavailable in: All Editions

Delegated Authentication isavailable in: Professional,Enterprise, Performance,Unlimited, Developer, andDatabase.com Editions

Authentication Providers areavailable in: Professional,Enterprise, Performance,Unlimited, and DeveloperEditions

USER PERMISSIONS

To view the settings:• “View Setup and

Configuration”

To edit the settings:• “Customize Application”

AND

“Modify All Data”

Single sign-on allows users to access all authorized network resources without having to log inseparately to each resource. You validate usernames and passwords against your corporate userdatabase or other client application rather than having separate user passwords managed bySalesforce.

Salesforce offers the following ways to use single sign-on:

• Federated authentication using Security Assertion Markup Language (SAML) allows you to sendauthentication and authorization data between affiliated but unrelated Web services. Thisenables you to sign on to Salesforce from a client application. Federated authentication usingSAML is enabled by default for your organization.

• Delegated authentication single sign-on enables you to integrate Salesforce with anauthentication method that you choose. This enables you to integrate authentication with yourLDAP (Lightweight Directory Access Protocol) server, or perform single sign-on by authenticatingusing a token instead of a password. You manage delegated authentication at the permissionlevel, allowing some users to use delegated authentication, while other users continue to usetheir Salesforce-managed password. Delegated authentication is set by permissions, not byorganization.

The primary reasons for using delegated authentication include:

– Using a stronger type of user authentication, such as integration with a secure identityprovider

– Making your login page private and accessible only behind a corporate firewall

– Differentiating your organization from all other companies that use Salesforce in order toreduce phishing attacks

You must request that this feature be enabled by Salesforce. Contact Salesforce to enabledelegated authentication single sign-on for your organization.

• Authentication providers let your users log in to your Salesforce organization using their logincredentials from an external service provider. Salesforce supports the OpenId Connect protocolthat allows users to log in from any OpenID provider such as Google, PayPal, LinkedIn and otherservices supporting OpenID Connect. When authentication providers are enabled, Salesforcedoes not validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establishauthentication credentials.

When you have an external identity provider, and configure single sign-on for your Salesforce organization, Salesforce is then acting asa service provider. You can also enable Salesforce as an identity provider, and use single sign-on to connect to a different service provider.Only the service provider needs to configure single sign-on.

The Single Sign-On Settings page displays which version of single sign-on is available for your organization. To learn more about thesingle sign-on settings, see Configuring SAML Settings for Single Sign-On. For more information about SAML and Salesforce security,see the Security Implementation Guide.

Benefits of Single Sign-On

Implementing single sign-on can offer the following advantages to your organization:

1

https://help.salesforce.com/apex/HTViewHelpDoc?id=identity_provider_about.htm&language=en_US

https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf

• Reduced Administrative Costs: With single sign-on, users only need to memorize a single password to access both networkresources or external applications and Salesforce. When accessing Salesforce from inside the corporate network, users are loggedin seamlessly, without being prompted to enter a username or password. When accessing Salesforce from outside the corporatenetwork, the users’ corporate network login works to log them in. With fewer passwords to manage, system administrators receivefewer requests to reset forgotten passwords.

• Leverage Existing Investment: Many companies use a central LDAP database to manage user identities. By delegating Salesforceauthentication to this system, when a user is removed from the LDAP system, they can no longer access Salesforce. Consequently,users who leave the company automatically lose access to company data after their departure.

• Time Savings: On average, a user takes five to 20 seconds to log in to an online application; longer if they mistype their usernameor password and are prompted to reenter them. With single sign-on in place, the need to manually log in to Salesforce is avoided.These saved seconds add up to increased productivity.

• Increased User Adoption: Due to the convenience of not having to log in, users are more likely to use Salesforce on a regular basis.For example, users can send email messages that contain links to information in Salesforce such as records and reports. When therecipients of the email message click the links, the corresponding Salesforce page opens automatically.

• Increased Security: Any password policies that you have established for your corporate network will also be in effect for Salesforce.In addition, sending an authentication credential that is only valid for a single use can increase security for users who have accessto sensitive data.

2

Single Sign-On

About SAML

EDITIONS





USER PERMISSIONS


Configuration”


AND


Security Assertion Markup Language (SAML) is an XML-based standard that allows you tocommunicate authentication decisions between one service and another. It underlies many Websingle sign-on solutions. Salesforce supports SAML for single sign-on into Salesforce from a corporateportal or identity provider.

Much of the work to set up single sign-on using SAML occurs with your identity provider:

1. Establish a SAML identity provider and gather information about how they will connect toSalesforce. This is the provider that will send single sign-on requests to Salesforce.

2. Provide information to your identity provider, such as the URLs for the start and logout pages.

3. Configure Salesforce using the instructions in Configuring SAML Settings for Single Sign-On.This is the only step that takes place in Salesforce.

Your identity provider should send SAML assertions to Salesforce using the SAML Web SingleSign-on Browser POST profile. Salesforce sends SAML responses to the Identity ProviderLogin URL specified under Setup, by entering Single Sign-On in the Quick Findbox, then selecting Single Sign-On Settings. Salesforce receives the assertion, verifies it againstyour Salesforce configuration, and allows single sign-on if the assertion is true.

If you have problems with the SAML assertion after you configure Salesforce for SAML, use theSAML Assertion Validator to validate the SAML assertion. You may need to obtain a SAML assertionfrom your identity provider.

If your users are having problems using SAML to login, you can review the SAML login history todetermine why they were not able to log in and share that information with your identity provider.

If your identity provider supports metadata, and if you've configured SAML using version 2.0, youcan click Download Metadata to download an XML configuration file to send them, which theycan then upload to automatically configure their settings for connecting to your Salesforceorganization or community.

3

About SAMLSingle Sign-On

CONFIGURING SAML SETTINGS FOR SINGLE SIGN-ON

EDITIONS





USER PERMISSIONS


Configuration”


AND


From this page, you can configure your organization to use single sign-on. You can also set upjust-in-time provisioning. Work with your identity provider to properly configure these settings. Formore information about single sign-on, see Single Sign-On. For more information about just-in-timeprovisioning, see About Just-In-Time Provisioning.

To configure SAML settings for single sign-on from your corporate identity provider to Salesforce:

1. Gather information from your identity provider.

2. Provide information to your identity provider.

3. Set up single sign-on.

4. Set up an identity provider to encrypt SAML assertions (optional).

5. Enable Just-in-Time user provisioning (optional).

6. Edit the SAML JIT handler if you selected Custom SAML JIT with Apex Handlerfor Just-in-Time provisioning.

7. Test the single sign-on connection.

Set up single sign-on

1. In Salesforce, from Setup, enter Single Sign-On Settings in the Quick Findbox, then select Single Sign-On Settings, and click Edit.

2. Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings.

3. Specify the SAML version used by your identity provider.

4. Click Save.

5. In SAML Single Sign-On Settings, click the appropriate button to create a new configuration,as follows.

• New - Specify all settings manually.

• New from Metadata File - Import SAML 2.0 settings from a XML file from your identityprovider. This option reads the XML file and uses it to complete as many of the settings as possible.

Note: If your XML file contains information for more than one configuration, the first configuration that occurs in the XMLfile is used.

• New from Metadata URL - Import SAML 2.0 settings from a public URL. This option reads the XML file located at a public URLand uses it to complete as many of the settings as possible. The URL must be added to Remote Site Settings to access it fromyour Salesforce org.

6. Give this setting a Name for reference within your organization.

Salesforce inserts the corresponding API Name value, which you can customize if necessary.

7. Enter the Issuer. This is often referred to as the entity ID for the identity provider.

4

8. If your Salesforce organization has domains deployed, specify whether you want to use the base domain(https://saml.salesforce.com) or the custom domain for the Entity ID. You must share this information with youridentity provider.

Tip: Generally, use the custom domain as the entity ID. If you already have single sign-on configured before deploying adomain, the base domain is the entity ID. If you are providing Salesforce to Salesforce services, you must specify the customdomain.

9. For the Identity Provider Certificate, use the Browse button to locate and upload the authentication certificateissued by your identity provider.

10. For the Request Signing Certificate, select the certificate you want from the ones saved in your Certificate and KeyManagement settings.

11. For the Request Signature Method, select the hashing algorithm for encrypted requests, either RSA-SHA1 orRSA-SHA256.

12. Optionally, if the identity provider encrypts SAML assertions, select the Assertion Decryption Certificate they’reusing from the ones saved in your Certificate and Key Management settings. This field is available only if your organizationsupports multiple single sign-on configurations. For more information, see Set up an identity provider to encrypt SAML assertions.

13. For the SAML Identity Type, SAML Identity Location, and other fields described in Identity Provider Values,specify the values provided by your identity provider as appropriate.

14. For the Service Provider Initiated Request Binding, select the appropriate value based on the informationprovided by your identity provider.

15. For SAML 2.0, if your identity provider has specific login or logout pages, specify them in Identity Provider Login URL and IdentityProvider Logout URL, respectively.

Note: These fields appear in Developer Edition and sandbox organizations by default and in production organizations onlyif My Domain is enabled. The fields do not appear in trial organizations or sandboxes linked to trial organizations.

16. For the Custom Error URL, specify the URL of the page users should be directed to if there's an error during SAML login. Itmust be a publicly accessible page, such as a public site Visualforce page. The URL can be absolute or relative.

17. Optionally, set up Just-in-Time user provisioning. For more information, see Enable Just-in-Time user provisioning and AboutJust-in-Time Provisioning for SAML..

18. Click Save.

If your identity provider supports metadata, and if you've configured SAML using version 2.0, you can click Download Metadata todownload an XML configuration file to send them, which they can then upload to automatically configure their settings for connectingto your Salesforce organization or community.

Set up an identity provider to encrypt SAML assertions

When Salesforce is the service provider for inbound SAML assertions, you can pick a saved certificate to decrypt inbound assertions fromthird party identity providers. You need to provide a copy of this certificate to the identity provider.

1. In the Single Sign-On Settings page in Setup, add a new SAML configuration.

2. In the Assertion Decryption Certificate field, specify the certificate for encryption from the ones saved in yourCertificate and Key Management settings.

Note: If you don’t see the Assertion Decryption Certificate field you need to enable multiple single sign-onfor your organization (this applies to organizations created before the Summer ’13 release that are not using SAML 1.1).To

5

Configuring SAML Settings for Single Sign-On

https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_overview.htm&language=en_US

enable multiple single sign-on configurations, select Enable Multiple Configs on the Single Sign-On Settings page. If thissetting has already been enabled, the field appears, and you won’t see the Enable Multiple Configs button.

3. Set the SAML Identity Location to the element where your identifier is located.

4. When you save the new SAML configuration, your organization’s SAML settings value for the Salesforce Login URL (alsoknown as the “Salesforce ACS URL”) changes. Get the new value (from the Single Sign-On Settings page in Setup), and click thename of the new SAML configuration. The value is in the Salesforce Login URL field.

5. The identity provider must use the Salesforce Login URL value.

6. You also need to provide the identity provider with a copy of the certificate selected in the Assertion DecryptionCertificate field to use for encrypting assertions.

Enable Just-in-Time user provisioning

1. In SAML Single Sign-On Settings, select User Provisioning Enabled.

• Standard - This option allows you to provision users automatically using attributes in the assertion.

• Custom SAML JIT with Apex handler - This option provisions users based on logic in an Apex class.

2. If you selected Standard, click Save and test the single sign-on connection.. If you selected Custom SAML JIT withApex handler, proceed to the next step.

3. In the SAML JIT Handler field, select an existing Apex class as the SAML JIT handler class. This class must implement theSamlJitHandler interface. If you do not have an Apex class, you can generate one by clicking Automatically create aSAML JIT handler template. You must edit this class and modify the default content before using it. For more information,see Edit the SAML JIT handler.

4. In the Execute Handler As field, select the user that runs the Apex class. The user must have “Manage Users” permission.

5. Just-in-time provisioning requires a Federation ID in the user type. In SAML Identity Type, select Assertion containsthe Federation ID from the User object. If your identity provider previously used the Salesforce username,communicate to them that they must use the Federation ID.

6. Click Save.

Edit the SAML JIT handler

1. From Setup, enter Apex Classes in the Quick Find box, then select Apex Classes.

2. Edit the generated Apex SAML JIT handler to map fields between SAML and Salesforce. In addition, you can modify the generatedcode to support the following:

• Custom fields

• Fuzzy profile matching

• Fuzzy role matching

• Contact lookup by email

• Account lookup by account number

• Standard user provisioning into a community

• Standard user login into a community

• Default profile ID usage for portal Just-in-Time provisioning

6


https://developer.salesforce.com/docs/atlas.en-us.202.0.apexcode.meta/apexcode/apex_interface_Auth_SamlJitHandler.htm

• Default portal role usage for portal Just-in-Time provisioning

• Username generation for portal Just-in-Time provisioning

For example, to support custom fields in the generated handler code, find the “Handle custom fields here” comment in the generatedcode. After that code comment, insert your custom field code. For more information and examples, see the SamlJitHandler Interfacedocumentation.

Note: If your identity provider sends JIT attributes for the Contact or Account object with the User object in the same assertion,the generated handler may be unable to make updates. For a list of User fields that cannot be updated at the same time as theContact or Account fields, see sObjects That Cannot Be Used Together in DML Operations.

Test the single sign-on connection

After you have configured and saved your SAML settings, test them by trying to access the identity provider's application. Your identityprovider directs the user's browser to POST a form containing SAML assertions to the Salesforce login page. Each assertion is verified,and if successful, single sign-on is allowed.

If you have difficulty signing on using single sign-on after you have configured and saved your SAML settings, use the SAML AssertionValidator. You may have to obtain a SAML assertion from your identity provider first.

If your users are having problems using SAML to login, you can review the SAML login history to determine why they were not able tolog in and share that information with your identity provider.

If you are using SAML version 2.0, after you've finished configuring SAML, the OAuth 2.0 Token Endpoint field is populated. Use this withthe Web single sign-on authentication flow for OAuth 2.0.

7




https://developer.salesforce.com/docs/atlas.en-us.202.0.apexcode.meta/apexcode/apex_dml_non_mix_sobjects.htm

Working With Your Identity Provider

EDITIONS





USER PERMISSIONS


Configuration”


AND


1. You must gather the following information from your identity provider before configuringSalesforce for SAML.

• The version of SAML the identity provider uses (1.1 or 2.0)

• The entity ID of the identity provider (also known as the issuer)

• An authentication certificate.

Tip: Be sure to store the certificate where you can access it from your browser. Thiswill be uploaded to Salesforce in a later step.

• The following SAML assertion parameters, as appropriate:

– The SAML user ID type

– The SAML user ID location

– Attribute Name

– Attribute URI

– Name ID format

Note: Attribute Name, Attribute URI, and Name ID format are only necessary if theSAML User ID Location is in an Attribute element, and not the name identifierelement of a Subject statement.

Tip: To set up single sign-on quickly, you can import SAML 2.0 settings from an XMLfile (or a URL pointing to the file) on the Single Sign-On Settings page. Obtain theXML from your identity provider.

You may also want to share more information about these values with your identity provider.

Tip: Enable Salesforce for SAML and take a screenshot of the page for your identityprovider. From Setup, enter Single Sign-On Settings in the Quick Findbox, then select Single Sign-On Settings, click Edit, then select SAML Enabled.

2. Work with your identity provider to setup the start, login, and logout pages.

3. Share the example SAML assertions with your identity provider so they can determine the format Salesforce requires for successfulsingle sign-on.

8

Working With Your Identity ProviderConfiguring SAML Settings for Single Sign-On

Identity Provider Values

EDITIONS





USER PERMISSIONS


Configuration”


AND


Before you can configure Salesforce for SAML, you must receive information from your identityprovider. This information must be used on the single sign-on page.

The following information might be useful for your identity provider.

DescriptionField

The version of SAML your identity provider uses. Salesforce currentlysupports version 1.1 and 2.0. The SAML specifications for the variousversions are linked below:

SAML Version

• SAML 1.1

• SAML 2.0

The Entity ID—a URL that uniquely identifies your SAML identity provider.SAML assertions sent to Salesforce must match this value exactly in the<saml:Issuer> attribute of SAML assertions.

Issuer

The issuer in SAML requests generated by Salesforce, and is also theexpected audience of any inbound SAML Responses. If you don’t havedomains deployed, this value is alwayshttps://saml.salesforce.com. If you have domains deployed,Salesforce recommends that you use your custom domain name. Youcan find the value on the Single Sign-On Settings page. From Setup,enter Single Sign-On Settings in the Quick Find box,then select Single Sign-On Settings.

Entity ID

The authentication certificate issued by your identity provider.IdentityProviderCertificate

The certificate (saved in the Certificate and Key Management page inSetup) used to generate the signature on a SAML request to the identityprovider when Salesforce is the service provider for a service

RequestSigningCertificate

provider-initiated SAML login. If a certificate has not been saved in theCertificate and Key Management page in Setup, Salesforce uses the globalproxy certificate by default. Using a saved signing certificate providesmore control over events, such as certificate expiration, than using theglobal proxy certificate.

The hashing algorithm for encrypted requests, either RSA-SHA1 orRSA-SHA256.

RequestSignatureMethod

The element in a SAML assertion that contains the string that identifiesa Salesforce user. Values are:

Assertion contains User’s Salesforce usernameUse this option if your identity provider passes the Salesforceusername in SAML assertions.

SAML IdentityType

9

Identity Provider ValuesConfiguring SAML Settings for Single Sign-On

http://www.oasis-open.org/specs/#samlv1.1

http://www.oasis-open.org/specs/#samlv2.0


DescriptionField

Assertion contains the Federation ID from the User objectUse this option if your identity provider passes an external user identifier, for example an employeeID, in the SAML assertion to identify the user.

Assertion contains the User ID from the User objectUse this option if your identity provider passes an internal user identifier, for example a user IDfrom your Salesforce organization, in the SAML assertion to identify the user.

The location in the assertion where a user should be identified. Values are:

Identity is in the NameIdentifier element of the Subjectstatement

The Salesforce Username or FederationIdentifier is located in the <Subject>statement of the assertion.

SAML IdentityLocation

Identity is in an Attribute elementThe Salesforce Username or FederationIdentifier is specified in an<AttributeValue>, located in the <Attribute> of the assertion.

If “Identity is in an Attribute element” is selected, this contains the value of theAttributeName that is specified in <Attribute> that contains the User ID.

Attribute Name

If SAML 1.1 is the specified SAML version and “Identity is in an Attribute element”is selected, this contains the value of the AttributeNamespace that is specified in<Attribute>.

Attribute URI

If SAML 2.0 is the specified SAML version and “Identity is in an Attribute element”is selected, this contains the value for the nameid-format. Possible values include

Name ID Format

unspecified, emailAddress or persistent. All legal values can be found in the “NameIdentifier Format Identifiers” section of the Assertions and Protocols SAML 2.0 specification.

If you’re using My Domain, chose the binding mechanism your identity provider requests for yourSAML messages. Values are:

HTTP POSTHTTP POST binding sends SAML messages using base64-encoded HTML forms.

Service ProviderInitiated RequestBinding

HTTP RedirectHTTP Redirect binding sends base64-encoded and URL-encoded SAML messages within URLparameters.

No matter what request binding is selected, the SAML Response will always use HTTP POST binding.

For SAML 2.0 only: The URL where Salesforce sends a SAML request to start the login sequence.

If you have domains deployed and a value specified for this field, login requests are usually sent tothe address specified by this field. However, if you need to bypass this value (for example, your

Identity ProviderLogin URL

identity provider is down) add the login parameter to the query string for the login page. Forexample: http://mydomain.my.salesforce.com?login.

Note: This field appears in Developer Edition production and sandbox organizations bydefault and in production organizations only if My Domain is enabled. This field does notappear in trial organizations or sandboxes linked to trial organizations.

10


http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf


DescriptionField

For SAML 2.0 only: The URL to direct the user to when they click the Logout link in Salesforce. Thedefault is http://www.salesforce.com.

Identity ProviderLogout URL

Note: This field appears in Developer Edition production and sandbox organizations bydefault and in production organizations only if My Domain is enabled. This field does notappear in trial organizations or sandboxes linked to trial organizations.

The URL associated with logging in for the Web browser single sign-on flow.Salesforce Login URL

For SAML 2.0 only: The ACS URL used with the API when enabling Salesforce as an identity providerin the Web single sign-on OAuth assertion flow.

OAuth 2.0 TokenEndpoint

The URL of the page users should be directed to if there’s an error during SAML login. It must be apublicly accessible page, such as a public site Visualforce page. The URL can be absolute or relative.

Custom Error URL

Start, Login, and Logout URL ValuesIn addition to the information used during the single sign-on, your identity provider can also set the start, login, and logout pages. Youcan also specify these pages yourself when you configure single sign-on.

The following information might be useful to your identity provider if they are setting these pages.

• The SAML specification supports an HTML form that is used to pass the SAML assertion via HTTPS POST.

• For SAML 1.1, the SAML identity provider can embed name-value pairs in the TARGET field to pass this additional information toSalesforce prepended with a specially formatted URL that contains URL-encoded parameters.

• The URL for SAML 1.1 to include in the TARGET field is as follows: https://saml.salesforce.com/?

• For SAML 2.0, instead of using the TARGET field, the identity providers uses the <AttributeStatement> in the SAMLassertion to specify the additional information.

• Salesforce supports the following parameters:

Note: For SAML 1.1 these parameters must be URL-encoded. This allows the URLs, passed as values that include their ownparameters, to be handled correctly. For SAML 2.0, these parameters are part of the <AttributeStatement>.

– ssoStartPage is the page to which the user should be redirected when trying to log in with SAML. The user is directed tothis page when requesting a protected resource in Salesforce, without an active session. The ssoStartPage should be theSAML identity provider’s login page.

– startURL is the URL where you want the user to be directed when sign-on completes successfully. This URL can be absolute,such as https://yourInstance.salesforce.com/001/o or it can be relative, such as /001/o. This parameteris only used in SAML 1.1. In SAML 2.0, the start URL is the page the user attempted to access before they were authenticated.

– logoutURL is the URL where you want the user to be directed when they click the Logout link in Salesforce. The default ishttp://www.salesforce.com.

The following sample TARGET field is for SAML 1.1, and includes properly-encoded parameters. It passes a customized start page, aswell as start and logout URLs embedded as parameter values in the query string.

https://saml.salesforce.com/?ssoStartPage=https%3A%2F%2Fwww.customer.org%2Flogin%2F&startURL=%2F001%2Fo&logoutURL=http%3A%2F%2Fwww.salesforce.com

11


The following is an example of an <AttributeStatement> for SAML 2.0 that contains both ssoStartPage and logoutURL:

<saml:AttributeStatement><saml:Attribute Name="ssoStartPage"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">http://www.customer.org

</saml:AttributeValue></saml:Attribute>

<saml:Attribute Name="logoutURL"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">

https://www.salesforce.com</saml:AttributeValue>

</saml:Attribute></saml:AttributeStatement>

12


Customize SAML Start, Error, Login, and Logout Pages

EDITIONS





USER PERMISSIONS


Configuration”


AND


You can customize the start, error, login, and logout pages for single sign-on users using SAML 1.1or 2.0. As part of your configuration, decide the following:

• If your identity provider uses SAML 1.1, the URL to direct the user to when single sign-onsuccessfully completes (known as the start page). This URL can be absolute, such ashttps://yourInstance.salesforce.com/001/o or it can be relative, such as/001/o. This URL must be an endpoint that accepts SAML authentication requests.

In SAML 2.0, the start page is the page the user attempted to access before they wereauthenticated. The SAML 2.0 start page must support Sp-init single sign-on.

If you are using SAML 2.0, you can also use the RelayState parameter to control whereusers get redirected after a successful login.

• The single sign-on start page where Salesforce sends a SAML request to start the login sequence.

We recommend that if you specify a single sign-on start page that you also specify a logoutpage. When you specify a logout page, when a user clicks logout or if a user’s session expires,the user is redirected to that page. If you don’t specify a logout page, the user is redirected tothe general Salesforce login page.

• The URL to direct the user to when they click the Logout link in Salesforce (known as the logoutpage). The default is https://login.salesforce.com, unless MyDomain is enabled.If My Domain is enabled, the default ishttps://customdomain.my.salesforce.com.

For SAML 2.0, these values can be set either during the single sign-on configuration, or by youridentity provider in the login URL or SAML assertion. The order of precedence is:

1. Session cookie—if you’ve already logged in to Salesforce and a cookie still exists, the login andlogout pages specified by the session cookie are used.

2. Values passed in from the identity provider.

3. Values from the single sign-on configuration page.

If you decide not to add these values to the single sign-on configuration, share them with youridentity provider. The identity provider must use these values either in the login URL or the assertion.

You can also decide if you want users to be directed to a custom error page if there’s an error during SAML login: It must be a publiclyaccessible page, such as a public site Visualforce page. The URL can be absolute or relative. Use this value when you configure SAML.

13

Customize SAML Start, Error, Login, and Logout PagesConfiguring SAML Settings for Single Sign-On

Example SAML Assertions

EDITIONS





USER PERMISSIONS


Configuration”


AND


Share the example SAML assertions with your identity provider so they can determine the formatof the information Salesforce requires for successful single-sign on. The assertion must be signedaccording to the XML Signature specification, using RSA and either SHA-1 or SHA-256.

In addition to the general single sign-on examples for both SAML 1.1 and SAML 2.0, use the followingsamples for the specific feature:

• assertions for portals

• assertions for Sites

• SOAP message for delegated authentication

• assertion for just-in-time provisioning

SAML User ID type is the Salesforce username, and SAML User ID location is the<NameIdentifier> element in the <Subject> element

SAML 1.1:

<Subject><NameIdentifier>[email protected]</NameIdentifier>

</Subject>

SAML 2.0:

<saml:Subject><saml:NameID

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2008-06-26T02:44:24.173Z"

Recipient="http://localhost:9000"/></saml:SubjectConfirmation>

</saml:Subject>

14

Example SAML AssertionsConfiguring SAML Settings for Single Sign-On

http://www.w3.org/TR/xmldsig-core/

SAML User ID type is the Salesforce username, and SAML User ID location is the <Attribute> elementSAML 1.1:

<AttributeStatement><Subject><NameIdentifier>this value doesn't matter</NameIdentifier>

<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>

</SubjectConfirmation></Subject>

<Attribute AttributeName="MySfdcName" AttributeNamespace="MySfdcURI"><AttributeValue>[email protected]</AttributeValue>

</Attribute></AttributeStatement>

SAML 2.0:

<saml:AttributeStatement><saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"


xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]


</saml:AttributeStatement>

SAML User ID type is the Salesforce User object's FederationIdentifier field, and SAML User ID location is the<NameIdentifier> element in the <Subject> element

SAML 1.1:

<AttributeStatement><saml:Subject>

<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0:assertion"NameQualifier="www.saml_assertions.com">

MyName</saml:NameIdentifier>

</saml:Subject></AttributeStatement>

SAML 2.0:

<saml:Subject><saml:NameID

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">MyName</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData NotOnOrAfter="2008-06-26T02:48:25.730Z"Recipient="http://localhost:9000/"/>

</saml:SubjectConfirmation></saml:Subject>

Note: The name identifier can be any arbitrary string, including email addresses or numeric ID strings.

15


SAML User ID type is theSalesforce User object's FederationIdentifier field, and SAML User ID location is the<Attribute> element

SAML 1.1:

<AttributeStatement><Subject><NameIdentifier>who cares</NameIdentifier>

<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>

</SubjectConfirmation></Subject>

<Attribute AttributeName="MyName" AttributeNamespace="MyURI"><AttributeValue>user101</AttributeValue>

</Attribute></AttributeStatement>

SAML 2.0:

<saml:AttributeStatement><saml:Attribute FriendlyName="fooAttrib" Name="SFDC_ATTR"


xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user101



SAML User ID type is the Salesforce username, and SAML User ID location is the <NameIdentifier> element in the<Subject> element

The following is a complete SAML response for SAML 2.0:

<samlp:Response ID="_257f9d9e9fa14962c0803903a6ccad931245264310738"IssueInstant="2009-06-17T18:45:10.738Z" Version="2.0">

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.salesforce.com

</saml:Issuer>

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</samlp:Status>

<saml:Assertion ID="_3c39bc0fe7b13769cab2f6f45eba801b1245264310738"IssueInstant="2009-06-17T18:45:10.738Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">

https://www.salesforce.com</saml:Issuer>

<saml:Signature><saml:SignedInfo>

<saml:CanonicalizationMethodAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<saml:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

16


<saml:Reference URI="#_3c39bc0fe7b13769cab2f6f45eba801b1245264310738"><saml:Transforms>

<saml:TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

<saml:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds saml xs"/>

</saml:Transform></saml:Transforms><saml:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><saml:DigestValue>vzR9Hfp8d16576tEDeq/zhpmLoo=</saml:DigestValue>

</saml:Reference></saml:SignedInfo><saml:SignatureValue>

AzID5hhJeJlG2llUDvZswNUrlrPtR7S37QYH2W+Un1n8c6kTCXr/lihEKPcA2PZt86eBntFBVDWTRlh/W3yUgGOqQBJMFOVbhKM/CbLHbBUVT5TcxIqvsNvIFdjIGNkf1W0SBqRKZOJ6tzxCcLo9dXqAyAUkqDpX5+AyltwrdCPNmncUM4dtRPjI05CL1rRaGeyX3kkqOL8p0vjm0fazU5tCAJLbYuYgU1LivPSahWNcpvRSlCI4ePn2oiVDyrcc4et12inPMTc2lGIWWWWJyHOPSiXRSkEAIwQVjfQm5cpli44Pv8FCrdGWpEE0yXsPBvDkM9jIzwCYGG2fKaLBag==

</saml:SignatureValue><saml:KeyInfo>

<saml:X509Data><saml:X509Certificate>

MIIEATCCAumgAwIBAgIBBTANBgkqhkiG9w0BAQ0FADCBgzELM[Certificate truncated for readability...]

</saml:X509Certificate></saml:X509Data>

</saml:KeyInfo></saml:Signature>

<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

[email protected]</saml:NameID>


Recipient="https://login.salesforce.com"/></saml:SubjectConfirmation>

</saml:Subject>

<saml:Conditions NotBefore="2009-06-17T18:45:10.738Z"NotOnOrAfter="2009-06-17T18:50:10.738Z">

<saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience>

</saml:AudienceRestriction></saml:Conditions>

<saml:AuthnStatement AuthnInstant="2009-06-17T18:45:10.738Z"><saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

17


</saml:AuthnContextClassRef></saml:AuthnContext>

</saml:AuthnStatement>

<saml:AttributeStatement>

<saml:Attribute Name="portal_id"><saml:AttributeValue xsi:type="xs:anyType">060D00000000SHZ</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="organization_id"><saml:AttributeValue xsi:type="xs:anyType">00DD0000000F7L5</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="ssostartpage"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:anyType">http://www.salesforce.com/security/saml/saml20-gen.jsp


<saml:Attribute Name="logouturl"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

<saml:AttributeValue xsi:type="xs:string">http://www.salesforce.com/security/del_auth/SsoLogoutPage.html


</saml:AttributeStatement></saml:Assertion></samlp:Response>

Sample SAML Assertions for PortalsThe following shows the portal_id and organization_id attributes in a SAML assertion statement:

<saml:AttributeStatement><saml:Attribute Name="portal_id">

<saml:AttributeValue xsi:type="xs:anyType">060D00000000SHZ</saml:AttributeValue></saml:Attribute>

<saml:Attribute Name="organization_id"><saml:AttributeValue xsi:type="xs:anyType">00DD0000000F7P5</saml:AttributeValue>


18


The following is a complete SAML assertion statement that can be used for single sign-on for portals. The organization is using federatedsign-on, which is included in an attribute (see the <saml:AttributeStatement> in bold text in the assertion), not in the subject.

<samlp:Response ID="_f97faa927f54ab2c1fef230eee27cba21245264205456"IssueInstant="2009-06-17T18:43:25.456Z" Version="2.0">

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.salesforce.com</saml:Issuer>

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</samlp:Status>

<saml:Assertion ID="_f690da2480a8df7fcc1cbee5dc67dbbb1245264205456"IssueInstant="2009-06-17T18:45:10.738Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">

https://www.salesforce.com</saml:Issuer>

<saml:Signature><saml:SignedInfo>

<saml:CanonicalizationMethodAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<saml:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<saml:Reference URI="#_f690da2480a8df7fcc1cbee5dc67dbbb1245264205456"><saml:Transforms>

<saml:TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

<saml:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds saml xs"/>

</saml:Transform></saml:Transforms><saml:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><saml:DigestValue>vzR9Hfp8d16576tEDeq/zhpmLoo=</saml:DigestValue>

</saml:Reference></saml:SignedInfo><saml:SignatureValue>

AzID5hhJeJlG2llUDvZswNUrlrPtR7S37QYH2W+Un1n8c6kTCXr/lihEKPcA2PZt86eBntFBVDWTRlh/W3yUgGOqQBJMFOVbhKM/CbLHbBUVT5TcxIqvsNvIFdjIGNkf1W0SBqRKZOJ6tzxCcLo9dXqAyAUkqDpX5+AyltwrdCPNmncUM4dtRPjI05CL1rRaGeyX3kkqOL8p0vjm0fazU5tCAJLbYuYgU1LivPSahWNcpvRSlCI4ePn2oiVDyrcc4et12inPMTc2lGIWWWWJyHOPSiXRSkEAIwQVjfQm5cpli44Pv8FCrdGWpEE0yXsPBvDkM9jIzwCYGG2fKaLBag==

</saml:SignatureValue><saml:KeyInfo>

<saml:X509Data><saml:X509Certificate>

MIIEATCCAumgAwIBAgIBBTANBgkqhkiG9w0BAQ0FADCBgzELMCertificate truncated for readability...

</saml:X509Certificate></saml:X509Data>

</saml:KeyInfo></saml:Signature>

19


<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">null

</saml:NameID>


Recipient="https://login.salesforce.com/?saml=02HKiPoin4f49GRMsOdFmhTgi_0nR7BBAflopdnD3gtixujECWpxr9klAw"/></saml:SubjectConfirmation>

</saml:Subject>

<saml:Conditions NotBefore="2009-06-17T18:43:25.456Z"NotOnOrAfter="2009-06-17T18:48:25.456Z">

<saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience>

</saml:AudienceRestriction></saml:Conditions>

<saml:AuthnStatement AuthnInstant="2009-06-17T18:43:25.456Z">

<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

</saml:AuthnContextClassRef></saml:AuthnContext>

</saml:AuthnStatement>


<saml:Attribute FriendlyName="Friendly Name" Name="federationId"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:string">saml_portal_user_federation_id</saml:AttributeValue><saml:AttributeValue xsi:type="xs:string">SomeOtherValue</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="portal_id"><saml:AttributeValue xsi:type="xs:anyType">060D00000000SHZ</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="organization_id"><saml:AttributeValue xsi:type="xs:anyType">00DD0000000F7Z5</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="ssostartpage"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:anyType">

20


http://www.salesforce.com/qa/security/saml/saml20-gen.jsp</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="logouturl"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

<saml:AttributeValue xsi:type="xs:string">http://www.salesforce.com/qa/security/del_auth/SsoLogoutPage.html


</saml:AttributeStatement></saml:Assertion>

</samlp:Response>

Sample SAML Assertion for SitesThe following shows the portal_id, organization_id, and siteurl attributes in a SAML assertion statement:

<saml:AttributeStatement><saml:Attribute Name="portal_id">

<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:anyType">060900000004cDk

</saml:AttributeValue></saml:Attribute><saml:Attribute Name="organization_id">

<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:anyType">00D900000008bX0

</saml:AttributeValue></saml:Attribute><saml:Attribute Name="siteurl">

<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:anyType">https://ap1.force.com/mySuffix</saml:AttributeValue>


Sample SOAP Message for Delegated AuthenticationAs part of the delegated authentication single sign-on process, a Salesforce server makes a SOAP 1.1 request to authenticate the userwho is passing in the credentials. Here is an example of this type of request. Your single sign-on Web service needs to accept this request,process it, and return a true or false response.

Sample Request

<?xml version="1.0" encoding="UTF-8" ?><soapenv:Envelope

xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>

<Authenticate xmlns="urn:authentication.soap.sforce.com"><username>[email protected]</username><password>myPassword99</password>

21


<sourceIp>1.2.3.4</sourceIp></Authenticate>

</soapenv:Body></soapenv:Envelope>

Sample Response Message

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope

xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>

<AuthenticateResult xmlns="urn:authentication.soap.sforce.com"><Authenticated>false</Authenticated>

</AuthenticateResult></soapenv:Body>

</soapenv:Envelope>

Sample SAML Assertion for Just-In-Time ProvisioningThe following is a sample SAML assertion for just in time provisioning.


<saml:Attribute Name="User.Username"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.Phone"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">415-123-1234</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.FirstName"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">Testuser</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.LanguageLocaleKey"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">en_US</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.CompanyName"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">Salesforce.com</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.Alias"

22


NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">tlee2</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.CommunityNickname"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">tlee2</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.UserRoleId"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">000000000000000</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.Title"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">Mr.</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.LocaleSidKey"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">en_CA</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.Email"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name=" User.FederationIdentifier"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">tlee2</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.TimeZoneSidKey"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">America/Los_Angeles</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.LastName"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">Lee</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.ProfileId"

23


NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">00ex0000001pBNL</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.IsActive"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">1</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="User.EmailEncodingKey"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">UTF-8</saml:AttributeValue>

</saml:Attribute>


24


VIEWING SINGLE SIGN-ON SETTINGS

EDITIONS





USER PERMISSIONS


Configuration”


AND


After you have configured your Salesforce organization to use SAML, you can view the single sign-onsettings. From Setup, enter Single Sign-On Settings in the Quick Find box, thenselect Single Sign-On Settings.

This page lists the details of your SAML configuration. Most of these fields are the same as the fieldson the page where you configured SAML. The following fields contain information automaticallygenerated by completing the configuration. The available fields depend on your configuration.

DescriptionField

For SAML 2.0 only. If you select “Assertion contains User's Salesforceusername” for SAML User ID Type and “User ID is in theNameIdentifier element of the Subject statement” for SAML UserID Location, this URL is the URL associated with login for the Websingle sign-on OAuth assertion flow.

SalesforceLogin URL

For SAML 2.0. Displays the Salesforce logout URL that the user is directedto after he or she logs off. This URL is only used if no value is specifiedfor Identity Provider Logout URL.

SalesforceLogout URL

For SAML 2.0 only: The ACS URL used with enabling Salesforce as anidentity provider in the Web single sign-on OAuth assertion flow.

OAuth 2.0Token Endpoint

From this page you can do any of the following:

• Click Edit to change the existing SAML configuration.

• Click SAML Assertion Validator to validate the SAML settings for your organization using aSAML assertion provided by your identity provider.

• If your identity provider supports metadata, and if you've configured SAML using version 2.0,you can click Download Metadata to download an XML configuration file to send them, whichthey can then upload to automatically configure their settings for connecting to your Salesforceorganization or community.

25

VALIDATING SAML SETTINGS FOR SINGLE SIGN-ON

EDITIONS





USER PERMISSIONS


Configuration”


AND


If your users have difficulty logging into Salesforce after you configure Salesforce for single sign-on,use the SAML Assertion Validator and the login history to validate the SAML assertions sent by youridentity provider.

1. Obtain a SAML assertion from your identity provider. The assertion can be either in plain XMLformat or base64 encoded.

If a user tries to log in to Salesforce and fails, the invalid SAML assertion is used to automaticallypopulate the SAML Assertion Validator if possible.

2. From Setup, enter Single Sign-On Settings in the Quick Find box, then selectSingle Sign-On Settings, then click SAML Assertion Validator.

3. Enter the SAML assertion into the text box, and click Validate.

4. Share the results of the validation errors with your identity provider.

26

SAML Assertion Validation Errors

EDITIONS





USER PERMISSIONS


Configuration”


AND


Salesforce imposes the following validity requirements on assertions:

Authentication StatementThe identity provider must include an <AuthenticationStatement> in the assertion.

Conditions StatementIf the assertion contains a <Conditions> statement, it must contain a valid timestamp.

TimestampsThe validity period specified in an assertion is honored. In addition, an assertion's timestampmust be less than five minutes old, plus or minus three minutes, regardless of the assertion'svalidity period setting. This allows for differences between machines. The NotBefore andNotOnOrAfter constraints must also be defined and valid.

AttributeIf your Salesforce configuration is set to Identity is in an Attribute element,the assertion from the identity provider must contain an <AttributeStatement>.

If you are using SAML 1.1, both <AttributeName> and <AttributeNamespace>are required as part of the <AttributeStatement>.

If you are using SAML 2.0, only <AttributeName> is required.

FormatThe Format attribute of an <Issuer> statement must be set to"urn:oasis:names:tc:SAML:2.0:nameid-format:entity" or not set atall.

For example:

<saml:IssuerFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.salesforce.com</saml:Issuer>

The following example is also valid:

<saml:Issuer >https://www.salesforce.com</saml:Issuer>

IssuerThe issuer specified in an assertion must match the issuer specified in Salesforce.

SubjectThe subject of the assertion must be resolved to be either the Salesforce username or the Federation ID of the user.

AudienceThe <Audience> value is required and must match the Entity ID from the single sign-on configuration. The default valueis https://saml.salesforce.com.

27

SAML Assertion Validation ErrorsValidating SAML Settings for Single Sign-On

RecipientThe recipient specified in an assertion must match either the Salesforce login URL specified in the Salesforce configuration or theOAuth 2.0 token endpoint. This is a required portion of the assertion and is always verified.

SignatureA valid signature must be included in the assertion. The signature must be created using the private key associated with the certificatethat was provided in the SAML configuration.

RecipientVerifies that the recipient and organization ID received in the assertion matches the expected recipient and organization ID, asspecified in the single sign-on configuration. This is an optional portion of the assertion and is only verified if it’s present. For example:

Recipient that we found in the assertion: http://aalbert-salesforce.com:8081/?saml=02HKiPoin4zeKLPYxfj3twkPsNSJF3fxsH0Jnq4vVeQr3xNkIWmZC_IVk3

Recipient that we expected based on the Single Sign-On Settings page:http://asmith.salesforce.com:8081/?saml=EK03Almz90Cik_ig0L97.0BRme6mT4o6nzi0t_JROL6HLbdR1WVP5aQO5w

Organization Id that we expected: 00Dx0000000BQlIOrganization Id that we found based on your assertion: 00D000000000062

Site URL AttributeVerifies if a valid Sites URL is provided. Values are:

• Not Provided

• Checked

• Site URL is invalid

• HTTPS is required for Site URL

• The specified Site is inactive or has exceeded its page limit

28

SAML Assertion Validation ErrorsValidating SAML Settings for Single Sign-On

REVIEWING THE SAML LOGIN HISTORY

EDITIONS





USER PERMISSIONS


Configuration”


AND


When a user logs in to Salesforce from another application using single sign-on, SAML assertionsare sent to the Salesforce login page. The assertions are checked against assertions in theauthentication certificate that are specified on the Single Sign-On Settings page in Setup. If a userfails to log in, a message is written to the login history log that indicates why the login failed. Inaddition, the SAML Assertion Validator may be automatically populated with the invalid assertion.

To view the login history, from Setup, enter Login History in the Quick Find box, thenselect Login History. After viewing the login history, you may want to share the information withyour identity provider.

The following are the possible failures:

Assertion ExpiredAn assertion’s timestamp is more than five minutes old.

Note: Salesforce does make an allowance of three minutes for clock skew. This means,in practice, that an assertion can be as much as eight minutes after the timestamp time,or three minutes before it. This amount of time may be less if the assertion’s validity periodis less than five minutes.

Assertion InvalidAn assertion is not valid. For example, the <Subject> element of an assertion might bemissing.

Audience InvalidThe value specified in <Audience> must be https://saml.salesforce.com.

Configuration Error/Perm DisabledSomething is wrong with the SAML configuration in Salesforce. For example, the uploadedcertificate might be corrupted, or the organization preference might have been turned off. Tocheck your configuration, from Setup, enter Single Sign-On Settings in the QuickFind box, then select Single Sign-On Settings. Next, get a sample SAML assertion fromyour identity provider, and then click SAML Assertion Validator.

Issuer MismatchedThe issuer or entity ID specified in an assertion does not match the issuer specified in yourSalesforce configuration.

Recipient MismatchedThe recipient specified in an assertion does not match the recipient specified in your Salesforce configuration.

Replay DetectedThe same assertion ID was used more than once. Assertion IDs must be unique within an organization.

Signature InvalidThe signature in an assertion cannot be validated by the certificate in your Salesforce configuration.

Subject Confirmation ErrorThe <Subject> specified in the assertion does not match the SAML configuration in Salesforce.

29

ABOUT JUST-IN-TIME PROVISIONING FOR SAML

EDITIONS


Available in all editions

With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users onthe fly the first time they try to log in. This eliminates the need to create user accounts in advance.For example, if you recently added an employee to your organization, you don't need to manuallycreate the user in Salesforce. When they log in with single sign-on, their account is automaticallycreated for them, eliminating the time and effort with on-boarding the account. Just-in-Timeprovisioning works with your SAML identity provider to pass the correct user information to Salesforcein a SAML 2.0 assertion. You can both create and modify accounts this way. Because Just-in-Timeprovisioning uses SAML to communicate, your organization must have SAML-based single sign-onenabled.

Benefits of Just-in-Time Provisioning

Implementing Just-in-Time provisioning can offer the following advantages to your organization.

• Reduced Administrative Costs: Provisioning over SAML allows customers to create accounts on-demand, as part of the singlesign-on process. This greatly simplifies the integration work required in scenarios where users need to be dynamically provisioned,by combining the provisioning and single sign-on processes into a single message.

• Increased User Adoption: Users only need to memorize a single password to access both their main site and Salesforce. Users aremore likely to use your Salesforce application on a regular basis.

• Increased Security: Any password policies that you have established for your corporate network are also in effect for Salesforce. Inaddition, sending an authentication credential that is only valid for a single use can increase security for users who have access tosensitive data.

Just-in-Time Provisioning Requirements

Just-in-Time provisioning requires the creation of a SAML assertion. Consider the following when creating your SAML assertion.

• Provision Version is supported as an optional attribute. If it isn't specified, the default is 1.0. For example:

<saml:Attribute Name="ProvisionVersion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:anyType">1.0</saml:AttributeValue></saml:Attribute>

• ProfileIDs change per organization, even for standard profiles. To make it easier to find the profile name, Salesforce allows you to doa profile name lookup by passing the ProfileName into the ProfileId field.

Field Requirements for the SAML AssertionTo correctly identify which object to create in Salesforce, you must use the User. prefix for all fields passed in the SAML assertion. Inthis example, the User. prefix has been added to the Username field name.

<saml:AttributeName="User.Username"

30

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue>

</saml:Attribute>

The following standard fields are supported.

CommentsRequiredFields

AboutMe

If not present, a default is derived from FirstName and LastName.Alias

CallCenter

City

If not present, a default is derived from the UserName.CommunityNickname

CompanyName

Country

Derived from organization settings.DefaultCurrencyIsoCode

DelegatedApproverId

Department

Division

For example, [email protected]

If not present, a default is derived from the organization settings.EmailEncodingKey

EmployeeNumber

Extension

Fax

If present, it must match the SAML subject, or the SAML subject is takeninstead. Can't be updated with SAML.

FederationIdentifier (insertonly)

FirstName

ForecastEnabled

IsActive

YLastName

LanguageLocaleKey

If not present, a default is derived from the organization settings.LocaleSidKey

Manager

MobilePhone

Phone

31

Just-in-Time Provisioning RequirementsAbout Just-in-Time Provisioning for SAML


For example, User.ProfileId=Standard UserYProfileId

ReceivesAdminInfoEmails

ReceivesInfoEmails

State

Street

If not present, a default is derived from the organization settings.TimeZoneSidKey

Title

For example, [email protected]. Can't updateusing SAML.

YUsername (insert only)

Defaults to “no role” if blank.UserRoleId

Zip

Other field requirements:

• Only text type custom fields are supported.

• Only the insert and update functions are supported for custom fields.

• When using the API for user creation, you can pass the new username into the User.Username field. You can also specify theUser.FederationIdentifier if it is present. However, the Username and FederationIdentifier fields can'tbe updated with API.

Just-in-Time Provisioning for Portals

With Just-in-Time (JIT) provisioning for portals, you can use a SAML assertion to create customer and partner portal users on the fly thefirst time they try to log in. This eliminates the need to create user accounts in advance. Because JIT uses SAML to communicate, yourorganization must have SAML-based single sign-on enabled.

Note: Starting with Summer ’13, Customer Portals and partner portals are no longer available for new organizations. Existingorganizations continue to have access to these portals. If you don’t have a portal, but want to easily share information with yourcustomers or partners, try Communities.

Existing organizations using Customer Portals and partner portals may continue to use their portals or transition to Communities.Contact your Salesforce Account Executive for more information.

Creating Portal UsersThe Portal ID and Organization ID must be specified as part of the SAML assertion. You can find both of these on thecompany information page for the organization or portal. Because you can also provision regular users, the Portal ID is used todistinguish between a regular and portal JIT provisioning request. If no Portal ID is specified, then the request is treated as a JITrequest for regular platform user. Here are the requirements for a creating a portal user.

32

Just-in-Time Provisioning for PortalsAbout Just-in-Time Provisioning for SAML

• You must specify a Federation ID. If the ID belongs to an existing user account, the user account is updated. In case of aninactive user account, the user account is updated, but left inactive unless User.IsActive in the JIT assertion is set to true. Ifthere is no user account with that Federation ID, the system creates a new user.

• If the portal isn’t self-registration enabled and a default new user profile and role aren’t specified, the User.ProfileId fieldmust contain a valid profile name or ID associated with the portal. In addition, the User.PortalRole field must contain a validportal role name or ID.

Note: The User.Role must be null.

Creating and Modifying AccountsCreate or modify an account by specifying a valid Account ID or both the Account.AccountNumber and Account.Name.

• Matching is based on Account.AccountNumber. If multiple accounts are found, an error is displayed. Otherwise, the accountis updated.

• If no matching account is found, one is created.

• You must specify the Account.Owner in the SAML assertion and ensure that the field level security for theAccount.AccountNumber field is set to visible for this owner’s profile.

Creating and Modifying ContactsCreate or modify a contact by specifying the a valid Contact ID in User.Contact or both the Contact.Email andContact.LastName.

• Matching is based on Contact.Email. If multiple contacts are found, an error is displayed. Otherwise, the contact is updated.

• If no matching contact is found, one is created.

Supported Fields for the Portal SAML AssertionTo correctly identify which object to create in Salesforce, you must use a prefix. In the SAML assertion, use the Account prefix for allfields in the Account schema (for example Account.AccountId) and Contact prefix for all fields in the Contact schema. In thisexample, the Contact prefix has been added to the Email field name.

<saml:AttributeName="Contact.Email"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue></saml:Attribute>

In addition to the standard fields supported for regular SAML JIT users, these fields are supported for accounts.


Street|City|State|PostalCode|CountryBilling

AnnualRevenue

Description

Fax

33



If present, it must match the SAML subject or the SAML subject is takeninstead. Can’t be updated using SAML.

YFederationIdentifier (insertonly)

IsCustomerPortal

IsPartner

NumberOfEmployees

Ownership

Phone

Use Worker for all portal users.YPortal Role

Rating

Street

TickerSymbol


Website

Zip

In addition to the standard fields supported for regular SAML JIT users, these fields are supported for contacts.


Birthdate

Name|PhoneCanAllowPortalSelfReg

Department

Description

DoNotCall

Fax

HasOptedOutofEmail

HasOptedOutofFax

HomePhone

LeadSource

Street|City|State|PostalCode|CountryMailing

MobilePhone

Owner

34



Street|City|State|PostalCode|CountryOther

OtherPhone

Phone

Salutation

Title

Just-in-Time Provisioning for Communities

With Just-in-Time (JIT) provisioning for Communities, you can use a SAML assertion to create customer and partner community userson the fly the first time they try to log in from an identity provider. This eliminates the need to create user accounts in advance. BecauseJIT uses SAML to communicate, your organization must have SAML-based single sign-on enabled. Then, you can work with the identityprovider to generate the necessary SAML assertions for JIT.

SAML Single Sign-on SettingsFollow the instructions for Configuring SAML Settings for Single Sign-On with SAML Enabled. Set the values for your configuration,as needed, and also include the following values specific to your community for JIT provisioning.

1. Check User Provisioning Enabled.

Note:

• Just-in-time provisioning requires a Federation ID in the user type. In SAML User ID Type, select Assertion containsthe Federation ID from the User object.

• If your identity provider previously used the Salesforce username, communicate to them that they must use the FederationID.

2. The Entity ID should be unique across your organization and begin with https. You can’t have two SAML configurations withthe same Entity ID in one organization. Specify whether you want to use the base domain (https://saml.salesforce.com)or the community URL (such as https://acme.force.com/customers) for the Entity ID. You must share this informationwith your identity provider.

Tip: Generally, use the community URL as the entity ID. If you are providing Salesforce to Salesforce services, you must specifythe community URL.

3. In SAML User ID Type, select Assertion contains the Federation ID from the User object. Ifyour identity provider previously used the Salesforce username, communicate to them that they must use the Federation ID.

Creating and Modifying Community UsersThe SAML assertion needs the following.

• A Recipient URL. This is the Community Login URL from the SAML Single Sign-On Settings detail page in your organization.The URL is in the following form.

https://<community_URL>/login?so=<orgID>

35

Just-in-Time Provisioning for CommunitiesAbout Just-in-Time Provisioning for SAML

For example, Recipient="https://acme.force.com/customers/login?so=00DD0000000JsCM" whereacme.force.com/customers is the community home page and 00DD0000000JsCM is the Organization ID.

If an Assertion Decryption Certificate has been uploaded to the organization’s SAML Single Sign-On Settings, include the certificateID in the URL using the sc parameter, such asRecipient="https://acme.force.com/customers/login?so=00DD0000000JsCM&sc=0LE000000Dp"where 0LE000000Dp is the certificate ID.

• Salesforce attempts to match the Federation ID in the subject of the SAML assertion (or in an attribute element, dependingupon how the SAML Identity Location is defined in the SAML Single Sign-On Settings) to the FederationIdentifier fieldof an existing user record.

1. If a matching user record is found, Salesforce uses the attributes in the SAML assertion to update the specified fields.

2. If a user with a matching user record isn't found, then Salesforce searches the contacts under the specified Account ID(Contact.Account or Account.AccountNumber) for a match based on the Contact ID (User.ContactId) oremail (Contact.Email).

i. If a matching contact record is found, Salesforce uses the attributes in the SAML assertion to update the specified contactfields, and then inserts a new user record.

ii. If a matching contact record isn't found, then Salesforce searches the accounts for a match based on theContact.Account or both the Account.AccountNumber and Account.Name specified in the SAMLassertion, or updates the existing contact and user records for the account if a match is found..

i. If a matching account record is found, Salesforce inserts a new user record and updates the account records based theattributes provided in the SAML assertion.

ii. If a matching account record isn't found, Salesforce inserts a new account record, inserts a new contact record, andinserts a new user record based on the attributes provided in the SAML assertion.

In the case of an inactive user account, the user account is updated, but left inactive unless User.IsActive in the JIT assertionis set to true. If there is no user account with that Federation ID, the system creates a new user.

• If the community doesn’t have self-registration enabled, and a default new user profile and role aren’t specified, theUser.ProfileId field must contain a valid profile name or ID associated with the community.

Salesforce attempts to match the Federation ID in the subject of the SAML assertion to the FederationIdentifier fieldof an existing user record.

Note: Salesforce also supports custom fields on the User object in the SAML assertion. Any attribute in the assertion that startswith User is parsed as a custom field. For example, the attribute User.NumberOfProductsBought__c in the assertionis placed into the field NumberOfProductsBought for the provisioned user. Custom fields are not supported for Accountsor Contacts.

Supported Fields for the Community SAML AssertionTo correctly identify which object to create in Salesforce, you must use a prefix. In the SAML assertion, use the Account prefix for allfields in the Account schema (for example Account.AccountId) and Contact prefix for all fields in the Contact schema. In thisexample, the Contact prefix has been added to the Email field name.

<saml:AttributeName="Contact.Email"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:anyType">[email protected]</saml:AttributeValue></saml:Attribute>

36


In addition to the standard fields supported for regular SAML JIT users, these fields are supported for accounts.


Street|City|State|PostalCode|CountryBilling

AnnualRevenue

Description

Fax

If present, it must match the SAML subject or the SAML subject is takeninstead. Can’t be updated using SAML.

YFederationIdentifier (insertonly)

IsCustomerPortal

IsPartner

NumberOfEmployees

Ownership

Phone

Portal Role

Rating

Street

TickerSymbol


Website

Zip

In addition to the standard fields supported for regular SAML JIT users, these fields are supported for contacts.


Birthdate

Name|PhoneCanAllowPortalSelfReg

Department

Description

DoNotCall

Fax

HasOptedOutofEmail

HasOptedOutofFax

37



HomePhone

LeadSource

Street|City|State|PostalCode|CountryMailing

MobilePhone

Owner

Street|City|State|PostalCode|CountryOther

OtherPhone

Phone

Salutation

Title

Just-in-Time Provisioning Errors

Following are the error codes and descriptions for Just-in-Time provisioning for SAML.

SAML errors are returned in the URL parameter, for example:

http://login.salesforce.com/identity/jit/saml-error.jsp?ErrorCode=5&ErrorDescription=Unable+to+create+user&ErrorDetails=INVALID_OR_NULL_FOR_RESTRICTED_PICKLIST+TimeZoneSidKey

Note: Salesforce redirects the user to a custom error URL if one is specified in your SAML configuration.

Error Messages

Error DetailsDescriptionCode

MISSING_FEDERATION_IDMissing Federation Identifier1

MISMATCH_FEDERATION_IDMis-matched Federation Identifier2

INVALID_ORG_IDInvalid organization ID3

USER_CREATION_FAILED_ON_UROGUnable to acquire lock4

USER_CREATION_API_ERRORUnable to create user5

ADMIN_CONTEXT_NOT_ESTABLISHEDUnable to establish admin context6

UNRECOGNIZED_CUSTOM_FIELDUnrecognized custom field8

UNRECOGNIZED_STANDARD_FIELDUnrecognized standard field9

LICENSE_LIMIT_EXCEEDEDLicense limit exceeded11

38

Just-in-Time Provisioning ErrorsAbout Just-in-Time Provisioning for SAML


MISMATCH_FEDERATION_ID_AND_USERNAME_ATTRSFederation ID and username do not match12

UNSUPPORTED_VERSIONUnsupported provision API version13

USER_NAME_CHANGE_NOT_ALLOWEDUsername change isn't allowed14

UNSUPPORTED_CUSTOM_FIELD_TYPECustom field type isn't supported15

PROFILE_NAME_LOOKUP_ERRORUnable to map a unique profile ID for the givenprofile name

16

ROLE_NAME_LOOKUP_ERRORUnable to map a unique role ID for the givenrole name

17

INVALID_ACCOUNT_IDInvalid account18

MISSING_ACCOUNT_NAMEMissing account name19

MISSING_ACCOUNT_NUMBERMissing account number20

ACCOUNT_CREATION_API_ERRORUnable to create account22

INVALID_CONTACTInvalid contact23

MISSING_CONTACT_EMAILMissing contact email24

MISSING_CONTACT_LAST_NAMEMissing contact last name25

CONTACT_CREATION_API_ERRORUnable to create contact26

MULTIPLE_CONTACTS_FOUNDMultiple matching contacts found27

MULTIPLE_ACCOUNTS_FOUNDMultiple matching accounts found28

INVALID_ACCOUNT_OWNERInvalid account owner30

INVALID_PORTAL_PROFILEInvalid portal profile31

ACCOUNT_CHANGE_NOT_ALLOWEDAccount change is not allowed32

ACCOUNT_UPDATE_FAILEDUnable to update account33

CONTACT_UPDATE_FAILEDUnable to update contact34

INVALID_STANDARD_ACCOUNT_FIELD_VALUEInvalid standard account field value35

CONTACT_CHANGE_NOT_ALLOWEDContact change not allowed36

INVALID_PORTAL_ROLEInvalid portal role37

CANNOT_UPDATE_PORTAL_ROLEUnable to update portal role38

INVALID_JIT_HANDLERInvalid SAML JIT Handler class39

INVALID_EXECUTION_USERInvalid execution user40

APEX_EXECUTION_ERRORExecution error41

39



UNSUPPORTED_CONTACT_PERSONACCT_UPDATEUpdating a contact with Person Account isn’tsupported

42

40


BEST PRACTICES FOR IMPLEMENTING SINGLE SIGN-ON

EDITIONS




Customer Portals andpartner portals are notavailable in Database.com

USER PERMISSIONS


Configuration”


AND


Salesforce offers the following ways to use single sign-on:

• Federated authentication using Security Assertion Markup Language (SAML) allows you to sendauthentication and authorization data between affiliated but unrelated Web services. Thisenables you to sign on to Salesforce from a client application. Federated authentication usingSAML is enabled by default for your organization.

• Delegated authentication single sign-on enables you to integrate Salesforce with anauthentication method that you choose. This enables you to integrate authentication with yourLDAP (Lightweight Directory Access Protocol) server, or perform single sign-on by authenticatingusing a token instead of a password. You manage delegated authentication at the permissionlevel, allowing some users to use delegated authentication, while other users continue to usetheir Salesforce-managed password. Delegated authentication is set by permissions, not byorganization.


– Using a stronger type of user authentication, such as integration with a secure identityprovider


– Differentiating your organization from all other companies that use Salesforce in order toreduce phishing attacks

You must request that this feature be enabled by Salesforce. Contact Salesforce to enabledelegated authentication single sign-on for your organization.

• Authentication providers let your users log in to your Salesforce organization using their logincredentials from an external service provider. Salesforce supports the OpenId Connect protocolthat allows users to log in from any OpenID provider such as Google, PayPal, LinkedIn and otherservices supporting OpenID Connect. When authentication providers are enabled, Salesforcedoes not validate a user’s password. Instead, Salesforce uses the user’s login credentials fromthe external service provider to establish authentication credentials.

In addition, you can also configure SAML for use with portals as well as for Sites.

Delegated Authentication Best Practices

Consider the following best practices when implementing delegated authentication single sign-on for your organization.

• Your organization’s implementation of the Web service must be accessible by Salesforce servers. This means you must deploy theWeb service on a server in your DMZ. Remember to use your server’s external DNS name when entering the Delegated GatewayURL in the Delegated authentication section in Salesforce (from Setup, enter Single Sign-On Settings in the QuickFind box, then select Single Sign-On Settings).

• If Salesforce and your system cannot connect, or the request takes longer than 10 seconds to process, the login attempt fails. Anerror is reported to the user indicating that his or her corporate authentication service is down.

• Namespaces, element names, and capitalization must be exact in SOAP requests. Wherever possible, generate your server stub fromthe WSDL to ensure accuracy.

41

• For security reasons, you should make your Web service available by TLS. You must use a certificate from a trusted provider, such asVerisign or Thawte. For a full list of trusted providers, contact Salesforce.

• The IP address that originated the login request is sourceIp. Use this information to restrict access based on the user’s location.Note that the Salesforce feature that validates login IP ranges continues to be in effect for single sign-on users. For more information,see Restrict Where and When Users Can Log In to Salesforce.

• You may need to map your organization’s internal usernames and Salesforce usernames. If your organization does not follow astandard mapping, you may be able to extend your user database schema (for example, Active Directory) to include the Salesforceusername as an attribute of a user account. Your authentication service can then use this attribute to map back to a user account.

• We recommend that you do not enable single sign-on for system administrators. If your system administrators are single sign-onusers and your single sign-on server has an outage, they have no way to log in to Salesforce. System administrators should alwaysbe able to log in to Salesforce so they can disable single sign-on in the event of a problem.

• We recommend that you use a Developer Edition account or a sandbox when developing a single sign-on solution beforeimplementing it in your organization. To sign up for a free Developer Edition account, go to developer.salesforce.com.

• Make sure to test your implementation with Salesforce clients such as Salesforce for Outlook, Connect for Office, and Connect Offline.For more information, see Single Sign-On for Salesforce clients.

Federated Authentication using SAML Best Practices

Consider the following best practices when implementing federated single sign-on with SAML for your organization.

• Obtain the Salesforce Login URL value from the Single Sign On Settings configuration page and put it in the correspondingconfiguration parameter of your Identity Provider (sometimes called the “Recipient URL”).

• Salesforce allows a maximum of three minutes for clock skew with your IDP server; make sure your server’s clock is up-to-date.

• If you are unable to log in with SAML assertion, always check the login history and note the error message. Use the SAML AssertionValidator on the Single Sign On Settings configuration page to troubleshoot.

• You need to map your organization’s internal usernames and Salesforce usernames. You have two choices to do this: add a uniqueidentifier to the FederationIdentifier field of each Salesforce user, or extend your user database schema (for example,Active Directory) to include the Salesforce username as an attribute of a user account. Choose the corresponding option for theSAML User ID Type field and configure your authentication service to send the identifier in SAML assertions.

• Before allowing users to log in with SAML assertions, enable the SAML organization preference and provide all the necessaryconfigurations.

• Use the My Domain feature to prevent users from logging in to Salesforce directly, and gives administrators more control over loginpolicies. You can use the URL parameters provided in the Salesforce Login URL value from the Single Sign-On Settingsconfiguration page with your custom domain.

For example, if the Salesforce Login URL is https://login.salesforce.com/?saml=02HKiP...

you can use https://yourDomain.my.salesforce.com/?saml=02HKiP...

• We recommend that you use Developer Edition account or a sandbox when testing a SAML single sign-on solution. To sign up fora free Developer Edition account, go to developer.salesforce.com.

• Sandbox copies are made with federated authentication with SAML disabled. Any configuration information is preserved, exceptthe value for Salesforce Login URL. The Salesforce Login URL is updated to match your sandbox URL, forexample https://yourInstance.salesforce.com/, after you re-enable SAML. To enable SAML in the sandbox, fromSetup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings; then click Edit,and select SAML Enabled.

• Your identity provider must allow you to set the service provider’s audience URL. The value must match the Entity ID value inthe single sign-on configuration. The default value is https://saml.salesforce.com.

42

Best Practices for Implementing Single Sign-On

https://help.salesforce.com/apex/HTViewHelpDoc?id=admin_loginrestrict.htm&language=en_US

https://developer.salesforce.com/

https://developer.salesforce.com/page/Single_Sign-On_for_Salesforce_Clients

https://developer.salesforce.com/

Single Sign-On for Portals Best Practices

Customer Portals and partner portals are not available for new organizations in the Summer ’13 release or later. Use Communities instead.For more information about single sign-on and SAML for Communities, see “Configuring SAML for Communities” in Getting StartedWith Communities. If you continue to use portals, note the following information.

• Only SAML version 2.0 can be used with portals.

• Only Customer Portals and partner portals are supported.

• Service provider initiated login is not supported.

• Both the portal_id and organization_id attributes are required for single sign-on for portals. If only one is specified,the user receives an error.

• If both the portal_id and organization_id attributes are populated in the SAML assertion, the user is directed to thatportal login. If neither is populated, the user is directed to the regular SAML Salesforce login.

• More than one portal can be used with a single organization.

Single Sign-On for Sites Best Practices

• Only SAML version 2.0 can be used with Sites.

• Only Customer Portals and partner portals are supported.

• Service provider initiated login is not supported.

• The portal_id, organization_id and siteUrl attributes are required for single sign-on for Sites. If only one is specified,the user receives an error.

• If all three of the portal_id, organization_id and siteUrl attributes are populated in the SAML assertion, the useris directed to that Sites login. If the siteUrl isn’t populated and the other two are, the user is directed to that portal login.

• More than one portal can be used with a single organization.

43

Best Practices for Implementing Single Sign-On

https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_communities_implementation.pdf

https://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_communities_implementation.pdf

ENABLE SINGLE SIGN-ON FOR PORTALS

EDITIONS

Available in: SalesforceClassic

Customer Portal is availablein: Enterprise, Performance,Unlimited, and DeveloperEditions

Partner Portal is available in:Enterprise, Performance,and Unlimited Editions

USER PERMISSIONS


Configuration”


AND


Single sign-on allows users to access all authorized network resources without having to log inseparately to each resource. You validate usernames and passwords against your corporate userdatabase or other client application rather than having separate user passwords managed bySalesforce.

You can set up Customer Portals and partner portals to use SAML single sign-on, so that a customeronly has to login once.

Note: Single sign-on with portals is only supported for SAML 2.0.

To enable single sign-on for portals:

1. In addition to the SAML sign-on information that must be gathered and shared with youridentity provider, you must supply your information provider with the Organization ID and thePortal ID. In the SAML assertion that is sent from your identity provider, the portal_id andorganization_id must be added as attributes.

Note: You can leave these attributes blank to differentiate between portal and platformusers. For example, when blank, the user is a regular platform user and when populated,the user is a portal user.

a. From Setup, enter Company Information in the Quick Find box, then selectCompany Information and copy the ID located in the Salesforce OrganizationID.

b. For Customer Portals, from Setup, enter Customer Portal Settings in the QuickFind box, select Customer Portal Settings, click the name of the Customer Portal, andthen copy the ID located in the Portal ID.

c. For partner portals, from Setup, enter Partners in the Quick Find box, then select Settings. Next, click the name ofthe partner portal, and copy the ID located in the Salesforce Portal ID.

44

UNDERSTANDING DELEGATED AUTHENTICATION SINGLESIGN-ON

EDITIONS


Available in: Professional,Enterprise, Performance,Unlimited, Developer, andDatabase.com Editions

USER PERMISSIONS


Configuration”


AND


Salesforce uses the following process for authenticating users using delegated authentication singlesign-on:

1. When a user tries to log in—either online or using the API—Salesforce validates the usernameand checks the user’s permissions and access settings.

2. If the user has the “Is Single Sign-On Enabled” user permission, then Salesforce does not validatethe username and password. Instead, a Web services call is made to the user’s organization,asking it to validate the username and password.

Note: Salesforce doesn’t store, log, or view the password in any way. It is disposed ofimmediately once the process is complete.

3. The Web services call passes the username, password, and sourceIp to your Webservice. (sourceIp is the IP address that originated the login request. You must create anddeploy an implementation of the Web service that can be accessed by Salesforce servers.)

4. Your implementation of the Web service validates the passed information and returns eithertrue or false.

5. If the response is true, then the login process continues, a new session is generated, and theuser proceeds to the application. If false is returned, then the user is informed that his orher username and password combination is invalid.

Note: There may be a momentary delay before a user can log in after being given delegatedauthentication due to the time required for the user account to become available in theorganization.

45

Configuring Salesforce for Delegated Authentication

EDITIONS


Available in: Professional,Enterprise, Performance,Unlimited, Developer, andDatabase.com Editions

USER PERMISSIONS


Configuration”


AND


To enable delegated authentication single sign-on (SSO) for your organization:

1. Contact Salesforce to enable delegated authentication single sign-on for your organization.

2. Build your single sign-on Web service:

a. In Salesforce, download the Web Services Description Language (WSDL) fileAuthenticationService.wsdl from Setup by entering DownloadDelegated Authentication WSDL in the Quick Find box, then selectingDownload Delegated Authentication WSDL. The WSDL describes the delegatedauthentication single sign-on service and can be used to automatically generate a server-sidestub to which you can add your specific implementation. For example, in the WSDL2Javatool from Apache Axis, you can use the --server-side switch. In the wsdl.exe toolfrom .NET, you can use the /server switch.

For a sample request and response, see Sample SOAP Message for Delegated Authenticationon page 21.

b. Add a link to your corporate intranet or other internally-accessible site that takes theauthenticated user’s credentials and passes them through an HTTP POST to the Salesforcelogin page.

Because Salesforce does not use the password field other than to pass it back to you,you do not need to send a password in this field. Instead, you could pass anotherauthentication token, such as a Kerberos Ticket so that your actual corporate passwordsare not passed to or from Salesforce.

You can configure the Salesforce delegated authentication authority to allow only tokens or to accept either tokens or passwords.If the authority only accepts tokens, a Salesforce user cannot log in to Salesforce directly, because they cannot create a validtoken. However, many companies choose to allow both tokens and passwords. In this environment, a user could still log in toSalesforce through the login page.

When the Salesforce server passes these credentials back to you in the Authenticate message, verify them, and the userwill gain access to the application.

3. In Salesforce, specify your organization’s single sign-on gateway URL from Setup by entering Single Sign-On in the QuickFind box, selecting Single Sign-On Settings, then clicking Edit. Enter the URL in the Delegated Gateway URL text box.

For security reasons, Salesforce restricts the outbound ports you may specify to one of the following:

• 80: This port only accepts HTTP connections.

• 443: This port only accepts HTTPS connections.

• 1024–66535 (inclusive): These ports accept HTTP or HTTPS connections.

4. Optionally, check the Force Delegated Authentication Callout box.

Note: When this box is unchecked, a call is not made to the SSO endpoint if the login attempt first fails because of loginrestrictions within the Salesforce organization. If you must record every login attempt, then check this box to force a calloutto the SSO endpoint regardless of login restriction failures.

5. Enable the “Is Single Sign-On Enabled” permission.

Important: If single sign-on is enabled for your org, API and desktop client users can log in to Salesforce unless their profile hasIP address restrictions set, and they try to log in from outside of the range defined. Furthermore, the single sign-on authority usually

46

Configuring Salesforce for Delegated AuthenticationUnderstanding Delegated Authentication Single Sign-On

handles login lockout policies for users with the “Is Single Sign-On Enabled” permission. However, if the security token is enabledfor your org, then your org’s login lockout settings determine how many times users can attempt to log in with an invalid securitytoken before being locked out of Salesforce.

47

Configuring Salesforce for Delegated AuthenticationUnderstanding Delegated Authentication Single Sign-On

SAMPLE DELEGATED AUTHENTICATION IMPLEMENTATIONS

Samples are available by downloading the sample code for .NET from the Salesforce Developers website.

The samples are written in C# and authenticate users against Active Directory. The first sample is a simple implementation of delegatedauthentication. The second is a more complex sample that demonstrates a single sign-on solution in conjunction with an authenticationtoken. Both samples use Microsoft .NET v1.1 and were deployed using IIS6 on a Windows 2003 server. Use the included makefileto build the samples.

Sample 1

This is implemented in simple.asmx.cs. This file declares a new class, SimpleAdAuth, that is a Web service with one method:Authenticate. There are a number of attributes declared on the method. These control the formatting of the expected requestand the generated response, and set up the service to match the message definition in the WSDL. The implementation uses the passedcredentials to try to connect to Active Directory via the LDAP provider. If it connects successfully, the credentials are good; otherwisethe credentials are not valid.

Sample 2

This is a more complex example that generates and verifies an authentication token rather than a password. The bulk of the implementationis in the sso.asmx.cs file, which defines a class SingleSignOn that can generate an authentication token and implements theauthentication service to later verify that token. The generated token consists of a token number, expiry timestamp, and username. Allthe data is then encrypted and signed.

The verification process verifies the signature, decrypts the token, checks that it has not expired, and checks that the token number hasnot been previously used. (The token number and expiration timestamp are used to prevent replay attacks.) The file gotosfdc.aspxis an ASPX page designed to be deployed and/or linked to from an intranet site. This forces the user’s authentication, generates a newauthentication token for the user, and finally POSTs that token to the Salesforce login page along with a username that is mapped fromthe local NT username. The Salesforce login process sends the authentication token back to the service, which verifies the token andlets the user into Salesforce. intranet.aspx is a simple page that links to gotosfdc.aspx so you can see this in action.

48

https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com

FREQUENTLY ASKED QUESTIONS

How do I enable single sign-on?Salesforce offers the following ways to use single sign-on:

• Federated authentication using Security Assertion Markup Language (SAML) allows you to send authentication and authorizationdata between affiliated but unrelated Web services. This enables you to sign on to Salesforce from a client application. Federatedauthentication using SAML is enabled by default for your organization.

• Delegated authentication single sign-on enables you to integrate Salesforce with an authentication method that you choose.This enables you to integrate authentication with your LDAP (Lightweight Directory Access Protocol) server, or perform singlesign-on by authenticating using a token instead of a password. You manage delegated authentication at the permission level,allowing some users to use delegated authentication, while other users continue to use their Salesforce-managed password.Delegated authentication is set by permissions, not by organization.


– Using a stronger type of user authentication, such as integration with a secure identity provider


– Differentiating your organization from all other companies that use Salesforce in order to reduce phishing attacks

You must request that this feature be enabled by Salesforce. Contact Salesforce to enable delegated authentication single sign-onfor your organization.

• Authentication providers let your users log in to your Salesforce organization using their login credentials from an external serviceprovider. Salesforce supports the OpenId Connect protocol that allows users to log in from any OpenID provider such as Google,PayPal, LinkedIn and other services supporting OpenID Connect. When authentication providers are enabled, Salesforce doesnot validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establishauthentication credentials.

Where in Salesforce do I configure single sign-on?For delegated authentication single sign-on:

• To access the WSDL, from Setup, enter API in the Quick Find box, select API, and then select Download DelegatedAuthentication WSDL.

• To specify your organization’s single sign-on gateway URL, from Setup, enter Single Sign-On Settings in the QuickFind box, select Single Sign-On Settings, and then select Edit.

• To enable the “Is Single Sign-On Enabled” user permission for your single sign-on users, from Setup, enter PermissionSets in the Quick Find box, then select Permission Sets.

For federated authentication using SAML:

• From Setup, enter Single Sign-On Settings in the Quick Find box, select Single Sign-On Settings, and thenclick Edit.

How are passwords reset when single sign-on has been implemented?Password reset is disabled for single sign-on users who use delegated authentication because Salesforce no longer manages theirpasswords. Users who try to reset their passwords in Salesforce will be directed to their Salesforce administrator.

Where can I view single sign-on login errors?For delegated authentication, administrators with the “Modify All Data” permission can view the twenty-one most recent singlesign-on login errors for your organization from Setup by entering Delegated Authentication Error History inthe Quick Find box, then selecting Delegated Authentication Error History. For each failed login, you can view the user's

49

username, login time, and the error. For federated authentication, administrators can view login errors from Setup by enteringLogin History in the Quick Find box, then selecting Login History.

Where can I find entries about login history for a failed SAML login attempt?When Salesforce cannot find the user in your assertion or cannot associate the provided user ID with a user in Salesforce, an entryis inserted in the login history. To see the login history, from Setup, enter Login History in the Quick Find box, thenselect Login History.

Does single sign-on work outside my corporate firewall?Yes, single sign-on can work outside your corporate firewall. When users are outside the corporate firewall, they can use their networkpasswords to log in to Salesforce. Alternately, you can require that users must first be connected to your corporate network in orderto log in.

Can I validate the SAML response sent by my identity provider?Yes. After you have configured single sign-on, you can access the SAML Validation page from Setup, by clicking SAML Validationon the Single Sign-On Settings page. If a user tries to log in to Salesforce and fails, the invalid SAML assertion is used to automaticallypopulate the SAML Assertion Validator if possible. On the SAML Validation page, if the SAML assertion is not automatically populated,you can enter either an XML– or base64–encoded SAML response that you've received from your service provider. Salesforce validatesthe response against the values provided during single sign-on setup, and provides detailed information about the response.

Can I configure a start page and logout page that are specific to my company?Yes.

You can customize the start, error, login, and logout pages for single sign-on users using SAML 1.1 or 2.0. As part of your configuration,decide the following:

• If your identity provider uses SAML 1.1, the URL to direct the user to when single sign-on successfully completes (known as thestart page). This URL can be absolute, such as https://yourInstance.salesforce.com/001/o or it can berelative, such as /001/o. This URL must be an endpoint that accepts SAML authentication requests.

In SAML 2.0, the start page is the page the user attempted to access before they were authenticated. The SAML 2.0 start pagemust support Sp-init single sign-on.

If you are using SAML 2.0, you can also use the RelayState parameter to control where users get redirected after a successfullogin.

• The single sign-on start page where Salesforce sends a SAML request to start the login sequence.

We recommend that if you specify a single sign-on start page that you also specify a logout page. When you specify a logoutpage, when a user clicks logout or if a user’s session expires, the user is redirected to that page. If you don’t specify a logout page,the user is redirected to the general Salesforce login page.

• The URL to direct the user to when they click the Logout link in Salesforce (known as the logout page). The default ishttps://login.salesforce.com, unless MyDomain is enabled. If My Domain is enabled, the default ishttps://customdomain.my.salesforce.com.

See Customize SAML Start, Error, Login, and Logout Pages on page 13.

Does Salesforce delegated authentication support SAML tokens?Yes, SAML tokens can be used with the sample delegated authentication implementations using the listener validating the token.

Can delegated authentication single sign-on work with Connect Offline?Yes, delegated authentication can work with Connect Offline if it is set up to work with both tokens and passwords. In this case,users should use their network password to access Connect Offline.

50

Frequently Asked Questions

INDEX

DDelegated authentication

configuring single sign-on 46sample implementations 48single sign-on 45

EError page

customizing in SAML 13

IIdentity provider

values 9

JJust-in-time provisioning

example SAML assertions 14Just-in-Time provisioning

community requirements 35portal requirements 32requirements 30

Just-in-Time provisioning errors 38

LLogging in

SAML start page 13Logging out

SAML 13

PPortals

single sign-on 44

SSAML

about 3custom error page 13

SAML (continued)example assertions 14Just-in-Time for communities 35Just-in-Time for portals 32Just-in-Time provisioning 30Just-in-Time provisioning errors 38Just-in-Time provisioning requirements 30login history 29login page 13logout page 13prerequisites 8single sign-on 4start page 13validating single sign-on 26validation errors 27viewing single sign-on 25

SecurityJust-in-Time for communities 35Just-in-Time for portals 32Just-in-Time provisioning 30Just-in-Time provisioning requirements 30portals single sign-on 44

Single sign-onbest practices 41configuring delegated authentication 46debugging 26delegated authentication 45, 48example SAML assertions 14FAQ 49identity provider values 9login history 29overview 1portals 44prerequisites 8SAML 4SAML validation 26viewing 25

51

Documents

Single Sign-On Implementation Guide - salesforce.comresources.docs.salesforce.com/.../pdf/salesforce_single_sign_on.pdf · Single Sign-On Implementation Guide Salesforce, ... single